This is something I have alluded to in the past, in other articles and blog posts: what is the likelihood of an SME suffering a scam as opposed to a more technical hack? There is a lot of evidence to suggest that, for most SMEs, the probability of suffering a scam or social engineering attack is significantly higher than that of experiencing a sophisticated technical hacking attack.

A useful rule of thumb from cyber insurance claims, law enforcement reporting, and incident response firms is:

  • 70–90% of financially damaging incidents affecting SMEs involve people being manipulated (phishing, invoice fraud, CEO fraud, business email compromise, fake suppliers, fake tech support, payment diversion, etc.).
  • 10–30% involve primarily technical exploitation (ransomware through unpatched systems, web application attacks, malware exploiting vulnerabilities, credential stuffing, etc.). 

But you can argue that ransomware is often a hybrid of the two, typically starting with phishing for credentials, obtaining a login and then deploying malware.

The exact percentages vary by industry and geography, but the pattern is remarkably consistent.

Why scams are more common

  1. Humans are easier to compromise than systems

A criminal can send 10,000 phishing emails in minutes at almost no cost.

Convincing one employee to:

  • Click a link
  • Approve a payment
  • Share credentials
  • Change bank account details

is often easier than discovering and exploiting a software vulnerability.

  2. SMEs usually have weaker business processes than technology

Many SMEs now use cloud services from companies such as Microsoft, Google Workspace and Amazon Web Services, which has improved their security.

However, they often lack:

  • Payment verification procedures
  • Supplier validation processes
  • Security awareness training
  • Segregation of financial duties
  • Adequate security policies more generally

Criminals exploit these business-process weaknesses.

  3. Criminals follow the money

A fake invoice scam may generate £20,000–£100,000 with little technical effort, whereas a sophisticated network intrusion might require:

  • Research
  • Malware development
  • Vulnerability exploitation
  • Persistence mechanisms

From an attacker’s perspective, scams often provide a better return on investment.

  4. Business Email Compromise (BEC) is extremely effective

One of the largest causes of SME losses is BEC:

  • Attacker gains access to an email account (often through phishing)
  • Watches conversations
  • Sends realistic payment instructions
  • Diverts funds

Technically, the breach may be simple, but the financial loss comes from deception rather than hacking.

Why technical attacks still matter

Technical attacks tend to receive more media attention because they can be highly disruptive.

Some examples are:

  • Ransomware
  • Server compromise
  • Website defacement
  • Data theft
  • Supply-chain attacks

Although less frequent than scams, a successful technical attack can have larger operational consequences:

  • Business downtime
  • Regulatory penalties
  • Customer notification costs
  • Recovery expenses

What an SME should prioritise

Most, if not all, SMEs have a limited security budget and therefore need to identify the highest-return controls to mitigate their risk. These include:

  • Multi-factor authentication (MFA) on all email and cloud accounts.
  • Staff training on phishing and payment fraud.
  • Verification procedures for bank account changes and large payments.
  • Strong backups and ransomware recovery testing.
  • Endpoint protection and automatic patching.
  • Monitoring for suspicious login activity.

These measures reduce both scam risk and many technical attack paths. It is always worth remembering that scammers and hackers alike will take the path of least resistance. The more difficult you make it for them, the more likely they are to look elsewhere.
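The bank-detail verification control above, and the BEC sequence described earlier (a watched mailbox, then realistic payment instructions), can be turned into a simple pre-payment check. The following is an added example, not code from the original post; the supplier records, the request, the £10,000 threshold and the lookalike-domain cut-off are all constructed assumptions.

```python
"""Pre-payment check for supplier bank-detail changes (BEC / invoice fraud).

Added example for this post, not the article's own code. Supplier records,
requests and the policy thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed supplier master data: details previously verified out of band.
SUPPLIERS = {
    "acme-ltd": {"domain": "acme-ltd.co.uk", "sort_code": "20-00-00", "account": "12345678"},
}
LARGE_PAYMENT_GBP = 10_000   # assumed policy threshold
LOOKALIKE_RATIO = 0.8        # assumed similarity cut-off for lookalike domains


@dataclass
class PaymentRequest:
    supplier_id: str
    sender_email: str
    sort_code: str
    account: str
    amount_gbp: float
    urgent: bool = False     # "pay today" pressure is a classic BEC tell


def review_request(req: PaymentRequest) -> dict:
    """Say whether the request needs a call-back on the phone number held in
    the supplier record (never one quoted in the email itself), and why."""
    record = SUPPLIERS.get(req.supplier_id)
    if record is None:
        return {"verify": True, "reasons": ["unknown supplier"]}
    reasons = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != record["domain"]:
        # A near-match is the classic registered-lookalike domain used in BEC.
        similarity = SequenceMatcher(None, sender_domain, record["domain"]).ratio()
        kind = "lookalike" if similarity >= LOOKALIKE_RATIO else "unrelated"
        reasons.append(f"{kind} sender domain {sender_domain}")
    if (req.sort_code, req.account) != (record["sort_code"], record["account"]):
        reasons.append("bank details differ from verified record")
    if req.amount_gbp >= LARGE_PAYMENT_GBP:
        reasons.append("large payment")
    if req.urgent:
        reasons.append("urgency pressure")
    return {"verify": bool(reasons), "reasons": reasons}
```

Any request that returns `verify: True` is held until someone other than the person who received the email confirms it with the supplier on the number already on file, which also gives the segregation of duties mentioned above.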

A practical estimate

For a typical 20 to 250 person SME, and for illustrative purposes only, the distribution of financially damaging incidents based on common industry observations is 80 to 20 in favour of scams.

This is not a universal statistic, but it reflects what many cyber insurers, incident responders and fraud investigators observe in practice: SMEs are generally more likely to lose money because someone was tricked than because a hacker defeated sophisticated technical defences. The most damaging incidents often combine both, such as a phishing email that steals credentials and then enables fraud or ransomware.
